Hello, for study purposes I have to break an old Apache version, the 1.3.x.

I'm focusing on the chunked encoding vulnerability because it can allow me to execute arbitrary code and, using Metasploit, I managed to hack an Apache 1.3.9 version on Windows XP SP2.

The problem is that I have to do this on a compiled version too... the Metasploit hacking seems to work only with the binaries; if I compile Apache 1.3.9 myself, the exploit does not seem to work.

The final objective is to inject some detection code into Apache's source code, so just hacking the binary version is not enough... can you help me out? It's really strange because compilation goes just fine; I did it from the command line using VC++ 6 with the command:

Code:

nmake /f _apacher

as the guide suggests. Moreover, I checked the source code too and it presents the boundary condition which is used by the exploit.

Edit: by the way, I came to discover what piece of code was exploited by reading a comment in an exploit's source code found on the web. If you have some good reference on this chunked encoding exploit, feel free to direct me to it, as I'd like to understand it better (I already checked securityfocus.com and NIST, but they just mention the weakness; I'd like some deeper analysis).

Last edited by phate867 on Sun Apr 14, 2013 1:08 pm, edited 1 time in total.

If this fails, there is a chance that this is a custom build of Apache and that you will need to use an operating system specific return address instead.

seems to be my case. I don't know how to find this OS-specific return address though... can I have some hint, any good advice in order to set the return address correctly? I've attached the module for you; it's really quite simple and already configured to change return addresses.

Thank you, I solved it!! :D In order to find the right address I used the msfpescan utility, then I just added my own build to the already existing exploit module and it worked. Thanks for the links too; the last 3 in particular are very interesting.

Last edited by phate867 on Sun Apr 14, 2013 1:12 pm, edited 1 time in total.